Microsoft Azure and Collection, Storage, and Use of Biometrics Illinois BIPA Class Action

Microsoft Corporation owns Microsoft Azure, which allows it to offer two platforms, one called simply Azure and Azure Cognitive Services (ACS), which may, among other things, allow the collection, storage, or use of biometrics among their operations. The complaint for this class action alleges that Microsoft has violated an Illinois law called the Biometric Information Privacy Act (BIPA) that applies to those in that state.

The class for this action is all Illinois residents whose biometric identifiers or biometric information was collected, captured, obtained, stored, used, transmitted, or disseminated by Microsoft, through products or services that interfaced with or integrated Azure or ACS.

The complaint defines Azure as “a public cloud” that lets users “build and deploy applications; store data; deliver software on demand; and analyze data using machine learning and artificial intelligence” and ACS as “cloud-based artificial intelligence services that help developers build cognitive solutions (that can see, hear, speak, and analyze) into their applications.”

As an example of their use, it explains the workings of a client called Brainshark, which offers training and video coaching for salespeople.

With Brainshark, the complaint says, “a salesperson may (1) record a video of herself and upload it to Brainshark’s platform as to then (2) receive feedback (generated automatically by Machine Analysis) regarding their elevator pitch, responses to common objections, and/or other efforts to refine their skills. This feedback includes ‘emotion analysis’ and ‘personality insights’ that are informed by an analysis of the salespeople’s facial expressions.”

To performs these services, Brainshark collects, stores, and uses the salespersons’ biometrics when it scans their facial geometry. In the process, the complaint alleges, while Brainshark is using Azure or ACS, Microsoft is doing the same.

Microsoft sells access to these tools not just to Brainshark but to other parties that the complaint calls “Biometrics Products and/or Services that interface with and/or integrate Azure and/or ACS,” or BPSAA, who also collect, store, and use biometrics.

BIPA requires that private businesses that want to collect, store, or use the biometrics of individuals in Illinois do a number of things, and the complaint alleges that Microsoft does not do them:

• It does not adequately inform the subjects that their information is being collected, stored, or used.
• It does not adequately inform the subjects of the specific purpose and length of time for which their biometrics are being collected, stored, and used.
• It does not get written releases from the subjects.
• It does not provide any retention or destruction policies.

The complaint alleges that the risks of the theft of biometrics are much greater than the risks of theft with other identifying information, for example, badge or credit cards, because biometrics, once stolen, cannot be cancelled or replaced.

Article Type: Lawsuit
Topic: Privacy
Tags: BIPA, Biometric Data, Facial Scans, Taking/Storing/Using Biometric Data, Your Privacy